174e20b7338eac8600a372f40dff420307a5cd50cbf7dd85e90ed69b5b6df02c

General

Target

GOLAYA-SEXY.exe
Size

239KB
MD5

3730b5f97b072915e3543161c40f31a5
SHA1

cf9d927d863408c27eb855b1f213a3be692848b2
SHA256

f6995a80e724cd266992ce7b856085a54e8567466ca1dbe8c3eba8977eb70b9c
SHA512

fa0404bed565520dbc58b1f3b5abd0026ed3979eaaf736811bbed1e1e2523770bfd8b80c01faabf6f57b486e246b0bbcbe009098d27b2c081f8afef8c4f9d0d1
SSDEEP

3072:mBAp5XhKpN4eOyVTGfhEClj8jTk+0hB+iwDomG0Ej+Cgw5CKH6:dbXE9OiTGfhEClq9Q+pD7G0VJJU6

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1676	WScript.exe
4	1676	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\DbIwillencouragimprovementsin.practice	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\DbIwillencouragimprovementsin.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Tosupportprofessionalssucas.educators	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\make_it_now_nuce.bat	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Uninstall.exe	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Uninstall.ini	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Tosupportprofessionalssucas.vbs	cmd.exe
File created	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\make_it_now_nuce.bat	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\DbI will enhance organisational capacity to meet the needs of deafblind.people	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\DbIwillencouragimprovementsin.practice	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\DbIwillencouragimprovementsin.vbs	cmd.exe
File created	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\DbI will enhance organisational capacity to meet the needs of deafblind.people	GOLAYA-SEXY.exe
File opened for modification	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Welcometothenew.home	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Tosupportprofessionalssucas.educators	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Uninstall.exe	GOLAYA-SEXY.exe
File created	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Tosupportprofessionalssucas.vbs	cmd.exe
File created	C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Welcometothenew.home	GOLAYA-SEXY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1088	1880	GOLAYA-SEXY.exe	27
PID 1880 wrote to memory of 1088	1880	GOLAYA-SEXY.exe	27
PID 1880 wrote to memory of 1088	1880	GOLAYA-SEXY.exe	27
PID 1880 wrote to memory of 1088	1880	GOLAYA-SEXY.exe	27
PID 1880 wrote to memory of 1756	1880	GOLAYA-SEXY.exe	29
PID 1880 wrote to memory of 1756	1880	GOLAYA-SEXY.exe	29
PID 1880 wrote to memory of 1756	1880	GOLAYA-SEXY.exe	29
PID 1880 wrote to memory of 1756	1880	GOLAYA-SEXY.exe	29
PID 1880 wrote to memory of 1676	1880	GOLAYA-SEXY.exe	30
PID 1880 wrote to memory of 1676	1880	GOLAYA-SEXY.exe	30
PID 1880 wrote to memory of 1676	1880	GOLAYA-SEXY.exe	30
PID 1880 wrote to memory of 1676	1880	GOLAYA-SEXY.exe	30

C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-SEXY.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\make_it_now_nuce.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:1088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Tosupportprofessionalssucas.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\DbIwillencouragimprovementsin.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\DbIwillencouragimprovementsin.practice

Filesize
165B

MD5
58b23bb8d3cc6122cca4b8fda6fc6d95

SHA1
9b110d3a2ebae69b86b6acf57a0db7b26983ff2e

SHA256
dcb69be9267912859c9b524dbcc219fd90b2e861a27cc044c6007ad7d0ad79e6

SHA512
c818f840e080d194027290bbd7b22b57dd7b02c6a2bf68d6fde101c014d44cfa6c28bb0dea63bebb8165ed7e53f9273ec1ba4b86c03879bdba64e83415713975

Download Submit
C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\DbIwillencouragimprovementsin.vbs

Filesize
165B

MD5
58b23bb8d3cc6122cca4b8fda6fc6d95

SHA1
9b110d3a2ebae69b86b6acf57a0db7b26983ff2e

SHA256
dcb69be9267912859c9b524dbcc219fd90b2e861a27cc044c6007ad7d0ad79e6

SHA512
c818f840e080d194027290bbd7b22b57dd7b02c6a2bf68d6fde101c014d44cfa6c28bb0dea63bebb8165ed7e53f9273ec1ba4b86c03879bdba64e83415713975

Download Submit
C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Tosupportprofessionalssucas.educators

Filesize
718B

MD5
1e62673f38aa090d56fbabb92edd00f9

SHA1
dc87bb0294e1c7c80331d77b51d5532b5edfcf75

SHA256
3b356fd93c5212d3370f267c8a8aa9e216c0310d8ef659c9c039882a0f482180

SHA512
39e710b486210a82aee45a0c996a92a93defe40bbfe6f9a33ff64258910eb99a8a077f9e1f74e0ad5547cb9a5a621d13a5584b1de373ee4f974392c0dd394217

Download Submit
C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Tosupportprofessionalssucas.vbs

Filesize
718B

MD5
1e62673f38aa090d56fbabb92edd00f9

SHA1
dc87bb0294e1c7c80331d77b51d5532b5edfcf75

SHA256
3b356fd93c5212d3370f267c8a8aa9e216c0310d8ef659c9c039882a0f482180

SHA512
39e710b486210a82aee45a0c996a92a93defe40bbfe6f9a33ff64258910eb99a8a077f9e1f74e0ad5547cb9a5a621d13a5584b1de373ee4f974392c0dd394217

Download Submit
C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\Welcometothenew.home

Filesize
117B

MD5
fe39de114462acf258914b91d212ad17

SHA1
64ec11557aa6dec81d19f8bb367651de31f5da64

SHA256
e31dd67c395263da489405007e2a74a08c9cabb7aed09364a3ae90794cf6f401

SHA512
1a0d56e4749029515526cdbe9d87229d23dfa8d0c9dea72fda2b593bf3edafd92724af5277006a9167c940c5511ddd4e5019d9c0d7233aa8ecec20a3d16fb903

Download Submit
C:\Program Files (x86)\suda nana stavit etot soft\111 222 333 444 555\make_it_now_nuce.bat

Filesize
2KB

MD5
4ef391f7bc0c349d62c793b066130e77

SHA1
a7ce780119875d02868fadc733ce15287974cba3

SHA256
2192bd53a1f1139564c0e07f3257d6fcb29adc6fb37e472bc392bed221b5e88c

SHA512
fff96f24aec4c844f6d830f81f6c1da9e91582ec3d39fbf1916fe2a4d94335252eb6606d52d28e5d704e2ece4022b81fa0c9f0ae07a4f18d719715a6354e1a2d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
71d56c63c666019eab63fa6f1cf94f2c

SHA1
e7d92bc7d1d8ce3bcc51f2a0049f21ac1b4f12dc

SHA256
208f28ce8cbf416b8be7beffea105562fffcfdd14cdc370e4519233c46451b53

SHA512
6131b7d16dacf34abaae4426e5507cb5b4df2116145572d3ed2ac0e27ebade53ec0ccc058f353c2519513bf8214d1b822d0d3197fe16bc3c96467dbaa54a1768

Download Submit
memory/1880-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing